From 4052beb0e908e206956eee5b479de283173d1801 Mon Sep 17 00:00:00 2001
From: Janusz Dobrowolski <janusz@frontaccounting.eu>
Date: Wed, 1 Apr 2015 17:47:37 +0200
Subject: [PATCH] Fixed hidden fields output (backported; fixes problem with
 security role editiom).

---
 includes/ui/ui_controls.inc | 14 +++++++++++++-
 includes/ui/ui_input.inc    |  7 ++++++-
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/includes/ui/ui_controls.inc b/includes/ui/ui_controls.inc
index 65e0071c..c6a0dd4d 100644
--- a/includes/ui/ui_controls.inc
+++ b/includes/ui/ui_controls.inc
@@ -49,6 +49,16 @@ function start_form($multi=false, $dummy=false, $action="", $name="")
 
 }
 
+/*
+	Flush hidden fields buffer.
+*/
+function output_hidden()
+{
+	global $hidden_fields;
+
+	echo implode('', $hidden_fields);
+	$hidden_fields = array();
+}
 //---------------------------------------------------------------------------------
 
 function end_form($breaks=0)
@@ -62,7 +72,8 @@ function end_form($breaks=0)
 	hidden('_modified', get_post('_modified', 0));
 	hidden('_token', $_SESSION['csrf_token']);
 	
-	echo implode('', $hidden_fields)."</form>\n";
+	output_hidden();
+	echo "</form>\n";
 	$Ajax->activate('_token');
 }
 
@@ -94,6 +105,7 @@ function start_table($class=false, $extra="", $padding='2', $spacing='0')
 function end_table($breaks=0)
 {
 	echo "</table></center>\n";
+	output_hidden();
 	if ($breaks)
 		br($breaks);
 }
diff --git a/includes/ui/ui_input.inc b/includes/ui/ui_input.inc
index 4f02f9b2..0e58b36b 100644
--- a/includes/ui/ui_input.inc
+++ b/includes/ui/ui_input.inc
@@ -85,7 +85,12 @@ function input_num($postname=null, $dflt=0)
 }
 
 //---------------------------------------------------------------------------------
-$hidden_fields = array();	// store for hiddn fields attached just before form end (for proper html validation)
+//
+//	Thanks to hidden fields buffering hidden() helper can be used in arbitrary places and 
+//  proper html structure is still preserved. Buffered hidden fields are output on the nearest 
+//  table or form closing tag (see output_hidden()).
+//
+$hidden_fields = array();
 
 function hidden($name, $value=null, $echo=true)
 {
-- 
2.30.2